Malware Analysis Report

2024-11-16 10:50

Sample ID: 240614-cpc1tsvhln
Target: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6
SHA256: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6
Threat Level: Known bad

Malicious Activity Summary

Tags: evasion, persistence

Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Modifies Installed Components in the registry
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

Analyst notes (drawn from the static1, behavioral1 and behavioral2 sections below)

The sample is an unsigned 32-bit PE run on 64-bit Windows: every registry write lands under Wow6432Node and at.exe is launched from SysWOW64.

It copies itself into c:\windows\system\ (the legacy 16-bit directory, not System32 or SysWOW64) under the names explorer.exe, spoolsv.exe and svchost.exe, and also opens c:\windows\system\udsys.exe and %APPDATA%\mrsys.exe for modification. A rule keyed on file name alone will not tell these from the real binaries; the directory is the distinguishing feature. Each stage is launched with a short argument (spoolsv.exe SE, spoolsv.exe PR, svchost.exe RO, mrsys.exe MR).

Persistence is set four ways. Winlogon\Shell is rewritten to "C:\Windows\explorer.exe, c:\windows\system\explorer.exe"; Winlogon launches every comma-separated entry, so the real shell still starts and nothing looks wrong to the user. Active Setup Installed Components entries with StubPath = %APPDATA%\mrsys.exe MR run once per user at logon. HKLM RunOnce values named Explorer and Svchost relaunch the copies from c:\windows\system\. Three at.exe jobs relaunch svchost.exe /interactive every day at 02:16, 02:17 and 02:18, a few minutes after the 02:14 submission time.

The Active Setup component names {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} and {F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} are not valid GUIDs (they contain non-hex characters), and the two keys are created, deleted and recreated in alternation during both runs. A malformed GUID under Installed Components is a cheap, low-noise detection.

ShowSuperHidden = 0 hides protected operating-system files in Explorer. It is also the Windows default, so on its own it means little; it matters here only because the same processes set the persistence keys.

The Windows 7 run holds a handle to \??\PIPE\atsvc, the RPC endpoint at.exe uses to reach the scheduler service (its hashes are those of empty content). The Windows 10 run shows no such handle, consistent with at.exe on Windows 8 and later only printing a deprecation notice pointing to schtasks.exe instead of creating the job; on that platform the RunOnce, Winlogon and Active Setup entries are what survive a reboot.

No command-and-control traffic was observed in either run: nothing at all on Windows 7 and only a PTR query for 8.8.8.8 sent to 8.8.8.8:53 on Windows 10, within network windows of 122 s and 51 s. This report therefore yields host indicators only.

MITRE ATT&CK

Enterprise Matrix V15 (techniques mapped from the signatures above; the matrix itself is not reproduced in this copy of the report)

T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL (Winlogon\Shell rewritten)
T1547.014 Boot or Logon Autostart Execution: Active Setup (Installed Components\StubPath)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce values)
T1053.002 Scheduled Task/Job: At (at.exe /every jobs)
T1564.001 Hide Artifacts: Hidden Files and Directories (ShowSuperHidden = 0)
T1036.005 Masquerading: Match Legitimate Name or Location (explorer.exe, spoolsv.exe, svchost.exe in c:\windows\system\)
T1057 Process Discovery (EnumeratesProcesses)
T1055 Process Injection (WriteProcessMemory into the child processes; possible, not confirmed by the report)

Analysis: static1

Detonation Overview

Reported: 2024-06-14 02:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 02:14
Reported: 2024-06-14 02:17
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A
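The four registry tables above (Winlogon\Shell, Active Setup StubPath, RunOnce and ShowSuperHidden) translate directly into detection logic. The following is an added example, editor's code rather than anything from the sandbox or the sample, that evaluates registry-write events in the shape a Sysmon Event ID 13 record carries (Image, TargetObject, Details) against those four behaviours. The event list is constructed for the example: the first four rows mirror the report's own rows, the rest are benign look-alikes added for contrast; the rule names and the field layout are this example's own, and the GUID, StubPath and shell values in the benign rows are illustrative.

```python
import re

# Registry "set value" events in the shape of a Sysmon Event ID 13 record
# (Image, TargetObject, Details). Constructed for this example: rows 1-4 mirror
# the behavioral1 tables above, rows 5-7 are benign look-alikes for contrast.
SAMPLE_EVENTS = [
    {"Image": r"c:\windows\system\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     "Details": r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"},
    {"Image": r"c:\windows\system\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
                     r"\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
     "Details": r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"},
    {"Image": r"c:\windows\system\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "Details": r"c:\windows\system\svchost.exe RO"},
    {"Image": r"c:\windows\system\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft"
                     r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    # benign (constructed): an installer registering a well-formed Active Setup component
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
                     r"\{89820200-ECBD-11CF-8B85-00AA005B4383}\StubPath",
     "Details": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"},
    # benign (constructed): the default Shell value being rewritten unchanged
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    # benign (constructed): a user hiding protected OS files again via Folder Options
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft"
                     r"\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
]

GUID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\(\{[^}\\]+\})\\StubPath$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
LEGACY_SYSTEM_DIR_RE = re.compile(r"\\windows\\system\\", re.I)  # not System32 / SysWOW64
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
DEFAULT_SHELLS = {"explorer.exe", r"c:\windows\explorer.exe", r"%systemroot%\explorer.exe"}


def _dword(details):
    """Value of a DWORD write: 'DWORD (0x00000000)' in Sysmon, plain '0' in this report."""
    m = re.search(r"0x([0-9a-f]+)|^(\d+)$", details.strip().strip('"'), re.I)
    return int(m.group(1) or m.group(2), 16 if m.group(1) else 10) if m else None


def check_winlogon_shell(ev):
    # Winlogon starts every comma-separated program in Shell, so an appended path
    # runs beside the real explorer.exe; anything beyond the default is a hit.
    if not ev["TargetObject"].lower().endswith(r"\winlogon\shell"):
        return None
    extra = [p.strip().lower() for p in ev["Details"].split(",")
             if p.strip().lower() not in DEFAULT_SHELLS]
    return f"winlogon_shell_extra_program: {', '.join(extra)}" if extra else None


def check_active_setup(ev):
    m = ACTIVE_SETUP_RE.search(ev["TargetObject"])
    if not m:
        return None
    reasons = []
    if not GUID_RE.match(m.group(1)):
        reasons.append("malformed GUID")  # e.g. {Y479C6D0-OTRW-...} in this report
    if USER_PROFILE_RE.search(ev["Details"]):
        reasons.append("StubPath under a user profile")
    return "active_setup_stubpath: " + "; ".join(reasons) if reasons else None


def check_run_key(ev):
    # Run/RunOnce entries under AppData are far too common to flag on their own;
    # the legacy c:\windows\system\ directory used by this sample is not.
    if not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    if LEGACY_SYSTEM_DIR_RE.search(ev["Details"]):
        return "run_key_legacy_system_dir: " + ev["Details"]
    return None


def check_show_super_hidden(ev):
    if not ev["TargetObject"].lower().endswith(r"\explorer\advanced\showsuperhidden"):
        return None
    return "show_super_hidden_disabled" if _dword(ev["Details"]) == 0 else None


CHECKS = (check_winlogon_shell, check_active_setup, check_run_key, check_show_super_hidden)


def evaluate(ev):
    """All rule hits for one event, in CHECKS order."""
    return [hit for hit in (check(ev) for check in CHECKS) if hit]


def scan(events):
    """Map image path -> rule hits, keeping only images that touched a persistence
    location. ShowSuperHidden=0 is the Windows default, so alone it is not reported."""
    hits = {}
    for ev in events:
        for hit in evaluate(ev):
            hits.setdefault(ev["Image"].lower(), []).append(hit)
    return {img: hs for img, hs in hits.items()
            if any(not h.startswith("show_super_hidden") for h in hs)}
```

Run against the constructed events, scan() reports only the two dropped binaries in c:\windows\system\: the explorer.exe copy for the Winlogon and RunOnce writes, the svchost.exe copy for the malformed Active Setup entry plus the ShowSuperHidden change, while the three benign rows produce nothing and the legitimate explorer.exe toggling ShowSuperHidden is suppressed because it set no persistence key.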

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Identical rows collapsed to a count per process (Description, Indicator and Target are N/A for every row).

Process | Events
C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe | 1
\??\c:\windows\system\explorer.exe | 33
\??\c:\windows\system\svchost.exe | 30

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed to a count per parent/child pair (Indicator is N/A for every row).

Description | Process | Target | Rows
PID 2452 wrote to memory of 2956 | C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe | \??\c:\windows\system\explorer.exe | 4
PID 2956 wrote to memory of 2512 | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2512 wrote to memory of 2468 | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 4
PID 2468 wrote to memory of 2416 | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 4
PID 2468 wrote to memory of 1956 | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2468 wrote to memory of 2708 | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4
PID 2468 wrote to memory of 3068 | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 4

Processes

Parent/child relationships follow the WriteProcessMemory rows above; each entry gives the image path and, below it, the command line.

PID 2452  C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
          "C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe"
    PID 2956  \??\c:\windows\system\explorer.exe
              c:\windows\system\explorer.exe
        PID 2512  \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
            PID 2468  \??\c:\windows\system\svchost.exe
                      c:\windows\system\svchost.exe
                PID 2416  \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe PR
                PIDs 1956, 2708, 3068  C:\Windows\SysWOW64\at.exe (one job each)
                          at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                          at 02:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                          at 02:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
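The WriteProcessMemory rows and the at.exe command lines above carry the whole execution chain, but only as flat text. As an added example (editor's code, not part of the sandbox report or the sample), the script below parses rows in exactly that form into a parent/child tree with per-edge write counts and breaks each at.exe job into its fields. The input is constructed from the report's own behavioral1 rows (the first row kept with its four repeats to show the counting); the row format and the regular expressions are this example's assumptions about the report layout, not a documented schema.

```python
import re

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")
AT_RE = re.compile(
    r"^at (?P<time>\d{2}:\d{2})(?P<interactive> /interactive)? /every:(?P<days>[A-Za-z,]+) (?P<cmd>.+)$",
    re.I)
ALL_DAYS = {"M", "T", "W", "Th", "F", "S", "Su"}

# Constructed input: the distinct "Suspicious use of WriteProcessMemory" rows of the
# behavioral1 run above (the first row kept with its four repeats to show the counting).
WPM_ROWS = r"""
PID 2452 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe \??\c:\windows\system\explorer.exe
PID 2452 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe \??\c:\windows\system\explorer.exe
PID 2956 wrote to memory of 2512 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2512 wrote to memory of 2468 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2468 wrote to memory of 2416 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2468 wrote to memory of 1956 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2468 wrote to memory of 2708 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2468 wrote to memory of 3068 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
"""
# The three scheduler jobs exactly as the Processes section lists them.
AT_JOBS = [
    r"at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 02:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
    r"at 02:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe",
]


def parse_wpm(text):
    """Report rows -> ordered {(src_pid, dst_pid): write count} and {pid: image path}."""
    edges, images = {}, {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        edges[(src, dst)] = edges.get((src, dst), 0) + 1
    return edges, images


def roots(edges):
    """PIDs that only ever write and are never written to: the origin of the chain."""
    sources = {s for s, _ in edges}
    targets = {d for _, d in edges}
    return sorted(sources - targets)


def render_tree(edges, images, pid, depth=0, writes=0):
    """Indented process chain; each child line carries the writes its parent made into it."""
    tag = f"  [{writes} WriteProcessMemory call(s)]" if writes else ""
    lines = [f"{'  ' * depth}{pid} {images[pid]}{tag}"]
    for (src, dst), n in edges.items():
        if src == pid:
            lines += render_tree(edges, images, dst, depth + 1, n)
    return lines


def parse_at_job(cmdline):
    """Fields of an 'at HH:MM [/interactive] /every:<days> <command>' job, or None."""
    m = AT_RE.match(cmdline.strip())
    if not m:
        return None
    days = m["days"].split(",")
    return {
        "time": m["time"],
        "interactive": m["interactive"] is not None,
        "days": days,
        "daily": set(days) == ALL_DAYS,   # every weekday listed == runs every day
        "command": m["cmd"],
    }


if __name__ == "__main__":
    edges, images = parse_wpm(WPM_ROWS)
    for root in roots(edges):
        print("\n".join(render_tree(edges, images, root)))
    for job in AT_JOBS:
        print(parse_at_job(job))
```

On the constructed rows the only root is PID 2452 (the submitted sample), the chain is sample, explorer.exe, spoolsv.exe, svchost.exe, and svchost.exe fans out into the second spoolsv.exe and the three at.exe children; each job parses as an interactive, every-day task for c:\windows\system\svchost.exe at 02:16, 02:17 and 02:18. The same parser applies unchanged to the behavioral2 rows, where the PIDs differ but the shape of the chain does not.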

Network

N/A

Files

memory/2452-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2452-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2452-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 6d6000d8340d52075a77fc4538c61634
SHA1 33e45c5852f9a448e5152420c9f47951ed47b084
SHA256 e810cda46edeb2f0b175d58ef1bbb2274a7026666ce695ef6d1d644e0e40d608
SHA512 1dd06d3197ea3e1060a3245065283f387bb0c34fd7334310a5c8c98056c9bc4db763fb8cf3311403ce261946dbe27ab31572f7c9cc5598181e2d7fcee153c560

memory/2452-11-0x0000000002CB0000-0x0000000002CE1000-memory.dmp

memory/2956-18-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2956-22-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\spoolsv.exe

MD5 7c8a684bfb8d828778ead8b3bf36f2fd
SHA1 1f9479fa42467ecd30b17555e7d6e119a5d67602
SHA256 2e4afbe778824e150077b3d1ec854161fb69b1364fc941d2006a0ea070d84955
SHA512 09abae03a31cc95ef59de263d835dee621cb1195727f2dfd0a0fb110f8bd661b5eae23045aa6244afb1bbe4343fd471193086c4b803390f0b2b7a44784f97513

memory/2512-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2956-34-0x0000000001F80000-0x0000000001FB1000-memory.dmp

memory/2512-36-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2512-41-0x0000000000400000-0x0000000000431000-memory.dmp

\Windows\system\svchost.exe

MD5 c6c2e9400e656ccc61985b6454021e19
SHA1 a939cd9831ed2b0afd913ac1655c5dee63837fc1
SHA256 56ceee886b567c4527d27ebbe8277804dd75f671533e75b3c4ea60bbbc1d0f21
SHA512 fe920cd4c201611803c9637ac8bb936ecab9dac4ad6aec28fbadf31c99115994e30600f297136e527e8be2ab34b9641fe360396e9647f84cfa1c752cbe9a2dcf

memory/2468-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-54-0x0000000000020000-0x0000000000024000-memory.dmp

memory/2512-52-0x00000000025F0000-0x0000000002621000-memory.dmp

memory/2512-51-0x00000000025F0000-0x0000000002621000-memory.dmp

memory/2468-56-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2468-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-60-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2468-67-0x00000000029E0000-0x0000000002A11000-memory.dmp

memory/2416-68-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2416-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2512-77-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2452-80-0x0000000000401000-0x000000000042E000-memory.dmp

memory/2452-79-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 9e61bdb7a3896af1f3472d16f6b08c17
SHA1 f99a553652b6ef4195bbfa0478a9a743eec4936e
SHA256 5e154d1569d4bd4b5bd509ee047b40b9e38e012b99e17bbafe3903fe9ba2f31e
SHA512 58747aa83a9a6f3865263c1bf819da4304d03594e639cf20af405ac40e05e753080f5ecfdae9eb5007d8f8eb40a7e3cbcddf248b975e90745934e4d438d0aa87

memory/2956-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2956-83-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2468-85-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2956-94-0x0000000000400000-0x0000000000431000-memory.dmp

\??\PIPE\atsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 02:14
Reported: 2024-06-14 02:17
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\svchost.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\svchost.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | \??\c:\windows\system\svchost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A
N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\svchost.exe | N/A
File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A
File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Identical rows collapsed to a count per process (Description, Indicator and Target are N/A for every row).

Process | Events
C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe | 2
\??\c:\windows\system\explorer.exe | 33
\??\c:\windows\system\svchost.exe | 29

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | \??\c:\windows\system\explorer.exe | N/A
N/A | N/A | \??\c:\windows\system\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed to a count per parent/child pair (Indicator is N/A for every row).

Description | Process | Target | Rows
PID 5076 wrote to memory of 1680 | C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe | \??\c:\windows\system\explorer.exe | 3
PID 1680 wrote to memory of 408 | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 408 wrote to memory of 4572 | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\svchost.exe | 3
PID 4572 wrote to memory of 1652 | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | 3
PID 4572 wrote to memory of 4128 | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 4572 wrote to memory of 2092 | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3
PID 4572 wrote to memory of 3752 | \??\c:\windows\system\svchost.exe | C:\Windows\SysWOW64\at.exe | 3

Processes

Parent/child relationships follow the WriteProcessMemory rows above; each entry gives the image path and, below it, the command line.

PID 5076  C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe
          "C:\Users\Admin\AppData\Local\Temp\a693f5a78c3cedcf9c7755dfcddc26a06b8a753524d72bc84d1eec9a894241f6.exe"
    PID 1680  \??\c:\windows\system\explorer.exe
              c:\windows\system\explorer.exe
        PID 408   \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
            PID 4572  \??\c:\windows\system\svchost.exe
                      c:\windows\system\svchost.exe
                PID 1652  \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe PR
                PIDs 4128, 2092, 3752  C:\Windows\SysWOW64\at.exe (one job each)
                          at 02:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                          at 02:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                          at 02:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

The single entry is a reverse (PTR) lookup of 8.8.8.8 sent to 8.8.8.8:53; no other connection was observed within the 51 s network window.

Files

memory/5076-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5076-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/5076-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5076-2-0x0000000075720000-0x000000007587D000-memory.dmp

memory/5076-4-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 4e91b4d262032edcae9eebeae738aa70
SHA1 a2c3e7691d7e05ba385ccb4351e47adfc41b6600
SHA256 4a5d9092d4d5e5e0e57b7a2fda086b7857bf7ec10ad81d9dc9f76f8f0663e20f
SHA512 9f295f0edc4e6f61aba2c28d5ada6cc98a1a5e1178d139b648ebf343e7edd5106fb2003072b0c6c42215ccab6b79b2c1d19381f3b65fb66ed721d4b0b97e1a2b

memory/1680-13-0x0000000075720000-0x000000007587D000-memory.dmp

memory/1680-16-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 e0ff28ba8a1a34612d241653d875954b
SHA1 08828d6a15c76c93eae9c5e73b8d85ed77c682bb
SHA256 6cf7d356f5bc31122022ca0fae533b3046469806dc79b3708e9644d4f049ee66
SHA512 598532d1eebf5b6dfe9b855f4139b33ccd8cf7396afb653e51ad2c57a4d905139e527dad516e2db94032752eaad558966957d2c8cc29a816a78ae973bece65d7

memory/408-24-0x0000000075720000-0x000000007587D000-memory.dmp

memory/408-28-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 80c8187a04679aa1f3bc0ff9c45dbb29
SHA1 04d95cb6ef1fcd66a48543bd03bd2d1c6038951f
SHA256 f8321a7aef4fa3160921ec6234a7bf3091989ae806eeafdb45c8594b37e8893e
SHA512 b81476437e7ecdd8b7fc6f279ef31bd790c02779600afa3f2ef6f2c72f0f8ca30c6eac6f555ec53bafd7a024bd3b06e7b93b9a4a52a03e7ceb2bfc86124091c0

memory/4572-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4572-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4572-37-0x0000000075720000-0x000000007587D000-memory.dmp

memory/4572-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5076-44-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/5076-45-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1652-46-0x0000000075720000-0x000000007587D000-memory.dmp

memory/1652-53-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5076-58-0x0000000000401000-0x000000000042E000-memory.dmp

memory/5076-57-0x0000000000400000-0x0000000000431000-memory.dmp

memory/408-56-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 0103845767a62053863a1bf06eee5712
SHA1 4403dfeeb27e50074dd3b4670d2140261f6030b1
SHA256 d6cb7c9d450e3f8b58f3d0aa235a0739782d70bf4acbf967f75f2a992d9cc969
SHA512 1efaccff0e86ac6a6b800dce8f30c46b7dfb2c8a7a59fbfa13d86cd94e06801746b976cb63f6476e1b8f8bf2da784d5d6b7d18569c365c7d37385fabbeb5cf20

memory/1680-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4572-62-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1680-71-0x0000000000400000-0x0000000000431000-memory.dmp